I'm trying to use our Splunk environment as a replacement for an older syslog server. We have multiple indexers, and we've set up a load-balancer in front of them to handle packets coming on on UDP port 514 and spread the packets out across the indexers. That part works well, but I'm having trouble with the appropriate props and transforms configurations to get those incoming events into the correct indexes. I assume I'm just overlooking something silly, but I need another set of eyes. We're using a small app that's being deployed from a cluster master, to the indexers, with these three configuration files: inputs.conf (yes, port 5140 is intentional, the load balancer handles the port translation)   [udp:5140] disabled = 0 connection_host = ip source = syslog sourcetype = syslog   props.conf:   [source::udp:5140] TRANSFORMS = override_index_f5, override_sourcetype_f5   transforms.conf:   [override_index_f5] SOURCE_KEY = _raw REGEX = (.*)f5-svc-ip=(.*) DEST_KEY = _MetaData:Index FORMAT = f5_connlog [override_sourcetype_f5] SOURCE_KEY = _raw REGEX = (.*)f5-svc-ip=(.*) DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::f5:connection-log   The intent of the above is to take events that look like this: Jul 14 09:22:33 10.24.43.13 LOCAL1.INFO: Jul 14 2021 09:22:33 f5-svc-ip=1.2.3.201, f5-svc-port=636, externalip=2.3.4.91, externalport=13703, internalip=5.6.7.9, internalport=13703 and route them to the "f5_connlog" index with the "f5:connection-log" sourcetype. Instead, these events are landing in the "main" index (since no other index is specified), with the "syslog" sourcetype. I assume that's happening because the events aren't matching, but the regex I'm using is about as simple as can be. (Obviously, once I figure out what I'm doing wrong, there will be more transforms, but this is a small simple test case.) So, wise folks, what am I overlooking? As a related question, is it possible to perform multiple actions on a single match? (In the above, I'm using the same source_key and same regex, so is it possible to combine the sourcetype and index transforms into a single stanza? I know they're two separate things, but it just feels slightly redundant to have to run the same regex twice.)

Hi, I updated my Splunk app in Splunkbase yesterday, receiving the correct Splunk AppInspect certification. However, when installing the app on a Splunk Cloud instance (from the "Browse More Apps"), version 1.0.0 is installed instead of 1.0.2. The app also shows up as "Last Updated: an hour ago", but still installs the wrong version. I made sure to update the build in the [install] stanza of the app.conf file, as well as the versions in the app.conf and app.manifest. Any ideas?  

Hi, I just finished creating my Splunk App, however for some reason the app isn't available for Splunk Enterprise (only Splunk Cloud) - here is an image of the "compatibility" section in Splunkbase. When I try to find the app in the Enterprise App "Store" it isn't there. Something I thought might have happened  was that I didn't add the following section to the manifest. "platformRequirements": { "splunk": { "Enterprise": "*" } },  However even after adding it, the app still isn't available for Splunk Enterprise.. Has this happened to anyone?